In this post we will walk through the step-by-step installation and configuration of Azure Active Directory and the Azure AD Connect utility. Once you finish the content below you will have answers to the following questions.
- How to install and configure Azure Active Directory on the Azure portal?
- How to add your company domain under Azure portal?
- How to install Azure AD Connect on your domain controller with password synchronisation password writeback features enabled?
So before we begin, let’s go through the Azure AD Connect deployment best practices and read about the importance of running the IdFix tool before synchronization.
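As an added example (not part of the original post, and not the IdFix tool itself), the script below performs the kind of pre-sync attribute checks IdFix is run for: UPN suffixes that do not match a verified domain, characters that are invalid in UPN or mail attributes, and the same SMTP proxy address appearing on more than one object. The three user objects it ships with are constructed sample data; the `-FromActiveDirectory` switch reads real users with the ActiveDirectory module instead, and the `contoso.com` suffix is an assumed placeholder for your own verified domain.

```powershell
# Added example: IdFix-style pre-flight checks before the first Azure AD Connect sync.
# Sample users below are CONSTRUCTED; use -FromActiveDirectory to read the real directory.
param(
    [switch]$FromActiveDirectory,
    [string[]]$VerifiedSuffixes = @('contoso.com')   # assumption: your verified domain(s)
)

function Get-SampleUsers {
    # Constructed objects shaped like Get-ADUser output (deliberately containing problems).
    @(
        [pscustomobject]@{ SamAccountName='alice'; UserPrincipalName='alice@contoso.com';       Mail='alice@contoso.com'; ProxyAddresses=@('SMTP:alice@contoso.com') }
        [pscustomobject]@{ SamAccountName='bob';   UserPrincipalName='bob@contoso.local';       Mail='bob@contoso.com';   ProxyAddresses=@('SMTP:bob@contoso.com') }
        [pscustomobject]@{ SamAccountName='carol'; UserPrincipalName='carol smith@contoso.com'; Mail=$null;               ProxyAddresses=@('SMTP:alice@contoso.com') }
    )
}

function Test-UserForSync {
    # Returns the per-user list of problems that would block or distort synchronization.
    param([Parameter(Mandatory)]$User, [string[]]$Suffixes)
    $issues = @()
    $upn = $User.UserPrincipalName
    if (-not $upn) {
        $issues += 'UPN is empty'
    } else {
        $suffix = ($upn -split '@')[-1]
        if ($Suffixes -notcontains $suffix) {
            $issues += "UPN suffix '$suffix' is not a verified domain (cloud UPN would fall back to onmicrosoft.com)"
        }
        # Local part limited to the characters Azure AD accepts; spaces and others are flagged.
        if ($upn -notmatch '^[A-Za-z0-9!#$%&''*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+$') {
            $issues += "UPN '$upn' contains characters that are invalid in Azure AD"
        }
    }
    if ($User.Mail -and $User.Mail -notmatch '^[^@\s]+@[^@\s]+$') {
        $issues += "mail '$($User.Mail)' is not a valid address"
    }
    [pscustomobject]@{ User = $User.SamAccountName; Issues = $issues }
}

$users = if ($FromActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter * -Properties UserPrincipalName, Mail, ProxyAddresses
} else {
    Get-SampleUsers
}

# Per-object checks
$users | ForEach-Object { Test-UserForSync -User $_ -Suffixes $VerifiedSuffixes } |
    Where-Object { $_.Issues.Count -gt 0 } |
    ForEach-Object { "$($_.User): " + ($_.Issues -join '; ') }

# Cross-object check: a proxy address shared by two objects causes export errors in the sync engine.
$users | ForEach-Object {
    $u = $_
    $u.ProxyAddresses | ForEach-Object { [pscustomobject]@{ Address = $_.ToLower(); User = $u.SamAccountName } }
} | Group-Object Address | Where-Object Count -gt 1 | ForEach-Object {
    "Duplicate proxyAddress $($_.Name): " + ($_.Group.User -join ', ')
}
```

On the constructed data the script reports bob's non-routable `contoso.local` suffix, the space in carol's UPN, and the `SMTP:alice@contoso.com` address carried by both alice and carol. Fix such findings in on-premises AD before the first sync; correcting them afterwards is possible but leaves export errors and, for UPN changes, sign-in name changes behind.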
1. How to install and configure Azure Active Directory on the Azure portal?
a) Login to your Azure portal and search for Azure Active Directory on the marketplace.
b) On the next window enter your Organization name and the initial domain name to get started. (The initial domain name is created under onmicrosoft.com. It can be removed later once you add your actual domain.)
c) Once details are entered, click on Create button.
d) Now click on the Azure Active Directory on the left side of the portal and then click on the Domain names tab to begin the configuration.
2. How to add your company domain under Azure portal?
e) On the Domain Names pane you will notice the domain name you added during the AAD creation. To add a new domain, click + Add domain name on the top pane.
f) Next enter the desired domain and click Add Domain.
g) On the next window you are given the records to add at your domain registrar in order to verify your domain. We are not verifying the domain here, so let’s cancel that window.
**A non-verified domain by default supports up to 50k objects, but once you verify the domain the limit is increased to 300k objects. If you need more than 300k you can open a support request to get it increased.
h) If you go back to the Domain names tab you will notice the new domain has been added with the status Unverified. This is ok.
3. How to install Azure AD Connect on your domain controller with password synchronisation password writeback features enabled?
I would expect that you have a Domain controller ready for the Azure AD Connect installation. Make sure you download the Azure AD Connect setup file on the server.
a) Execute the setup file and start the process. To begin the installation click on the Customize button.
b) On the next window choose a custom installation location if you wish, or keep the default, and click the Install button.
c) On the next window we will select the Password Synchronization option. Before we proceed, let’s see what these options are.
Password Synchronization – This option allows your users to sign in to the cloud using the same password that they use on-premises. Password synchronization does not store or send clear text passwords.
Pass-through authentication – Pass-through authentication enables Azure active directory to authenticate users using your on-premises identity infrastructure.
Federation with AD FS – This option allows users to sign in with federated authentication through AD FS. While logged in to the corporate network, your users can access cloud resources without entering their passwords again.
Single sign-on – This allows users to access cloud resources without entering their password when they sign in from a domain-joined computer.
d) On the next window it will ask you to enter your Azure AD credentials to authenticate with the cloud.
If you are using an outlook.com or live.com account you may receive the error message below. If you encounter this, go to your portal and create a new user account with Global Administrator access; logging in with that account will resolve the issue.
“Unable to validate credentials. An unexpected error has occurred.”
e) If you want to create a new account, follow the screenshot below. Do not forget to select the Directory Role for the user.
f) Next is the Connect your directories window. Here click Add Directory, and in the AD forest account dialog that follows enter your Enterprise Admin credentials.
g) Once the credentials are entered the directory will be added and it will show as below.
h) In the Azure AD Sign-in configuration window check the box next to Continue without any verified domain (only when your domain is not verified on the Azure portal), then click Next.
i) Now select the OU that you want to sync with Azure Active directory. Here you have the flexibility to select the OU that you want to sync. Choose your selection accordingly.
j) On the next window you need to specify the source anchor for the user object.
Azure Source Anchor – Best Practices
If you have multiple forests and do not move users between forests and domains, then objectGUID is a good attribute to use even in this case.
If you move users between forests and domains, then you must find an attribute that does not change or can be moved with the users during the move. A recommended approach is to introduce a synthetic attribute. An attribute that could hold something that looks like a GUID would be suitable. During object creation, a new GUID is created and stamped on the user. A custom sync rule can be created in the sync engine server to create this value based on the objectGUID and update the selected attribute in ADDS. When you move the object, make sure to also copy the content of this value.
Another solution is to pick an existing attribute you know does not change. Commonly used attributes include employeeID.
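The synthetic-attribute approach described above, as an added example that is not part of the original post: a fresh GUID is stamped into a spare string attribute only where the attribute is still empty, and the resulting set is checked for values that are not GUIDs or that two users share, since either would make the attribute unusable as an anchor. The choice of `extensionAttribute1` is an assumption (any unused single-valued string attribute would do), the user objects it runs on by default are constructed sample data, and `-FromActiveDirectory` applies the same logic to real users through the ActiveDirectory module.

```powershell
# Added example: stamp and validate a synthetic GUID source anchor.
# Default input is CONSTRUCTED sample data; -FromActiveDirectory reads and writes real AD users.
param(
    [string]$Attribute = 'extensionAttribute1',   # assumption: an unused single-valued string attribute
    [string]$SearchBase,                           # optional OU distinguished name to limit the scope
    [switch]$FromActiveDirectory
)

function Get-SampleUsers {
    # Constructed objects: one already anchored, one empty, two sharing a value, one malformed.
    @(
        [pscustomobject]@{ SamAccountName='alice'; DistinguishedName='CN=alice,OU=Users,DC=contoso,DC=com'; $Attribute='6f1c2a4e-8d1b-4a0a-9c4d-2b7e0f3a9e11' }
        [pscustomobject]@{ SamAccountName='bob';   DistinguishedName='CN=bob,OU=Users,DC=contoso,DC=com';   $Attribute=$null }
        [pscustomobject]@{ SamAccountName='carol'; DistinguishedName='CN=carol,OU=Users,DC=contoso,DC=com'; $Attribute='6f1c2a4e-8d1b-4a0a-9c4d-2b7e0f3a9e11' }
        [pscustomobject]@{ SamAccountName='dave';  DistinguishedName='CN=dave,OU=Users,DC=contoso,DC=com';  $Attribute='not-a-guid' }
    )
}

function Test-IsGuid([string]$Value) {
    $parsed = [guid]::Empty
    return [guid]::TryParse($Value, [ref]$parsed)
}

function Get-AnchorStampPlan {
    # Never overwrite: an anchor that changes after the first sync breaks the on-prem/cloud link.
    param($Users, [string]$Attr)
    foreach ($u in $Users) {
        if ([string]::IsNullOrEmpty($u.$Attr)) {
            [pscustomobject]@{ DistinguishedName = $u.DistinguishedName; SamAccountName = $u.SamAccountName; NewValue = [guid]::NewGuid().ToString() }
        }
    }
}

function Test-AnchorSet {
    # Report values that are not GUIDs and values shared by more than one object.
    param($Users, [string]$Attr)
    $stamped = $Users | Where-Object { $_.$Attr }
    $stamped | Where-Object { -not (Test-IsGuid $_.$Attr) } |
        ForEach-Object { "Not a GUID: $($_.SamAccountName) -> $($_.$Attr)" }
    $stamped | Group-Object { $_.$Attr } | Where-Object Count -gt 1 |
        ForEach-Object { "Duplicate anchor $($_.Name): " + ($_.Group.SamAccountName -join ', ') }
}

if ($FromActiveDirectory) {
    Import-Module ActiveDirectory
    $query = @{ Filter = '*'; Properties = $Attribute }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }
    $users = Get-ADUser @query
    foreach ($plan in Get-AnchorStampPlan -Users $users -Attr $Attribute) {
        Set-ADUser -Identity $plan.DistinguishedName -Replace @{ $Attribute = $plan.NewValue }
        "Stamped $Attribute on $($plan.SamAccountName)"
    }
    $users = Get-ADUser @query          # re-read so the validation sees the new values
} else {
    $users = Get-SampleUsers
    Get-AnchorStampPlan -Users $users -Attr $Attribute | ForEach-Object { "Would stamp $Attribute=$($_.NewValue) on $($_.SamAccountName)" }
}

Test-AnchorSet -Users $users -Attr $Attribute
```

With the sample data it plans a new GUID for bob, reports dave's value as not a GUID, and flags the value shared by alice and carol. Once the attribute is chosen in the wizard, treat it as write-once: the copy-on-move step mentioned above is what keeps the anchor stable across forest migrations.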
k) On the next window select Synchronize all users and devices and click Next.
l) Here you will select the features that you want to enable. We will select the password writeback feature here.
Exchange Hybrid Deployment -The Exchange Hybrid Deployment feature allows for the co-existence of Exchange mailboxes both on-premises and in Office 365. Azure AD Connect is synchronizing a specific set of attributes from Azure AD back into your on-premises directory.
Exchange Mail Public Folders –The Exchange Mail Public Folders feature allows you to synchronize mail-enabled Public Folder objects from your on-premises Active Directory to Azure AD.
Azure AD app and attribute filtering – By enabling Azure AD app and attribute filtering, the set of synchronized attributes can be tailored. This option adds two more configuration pages to the wizard. For more information, see Azure AD app and attribute filtering.
Password synchronization – If you selected federation as the sign-in solution, then you can enable this option. Password synchronization can then be used as a backup option. For additional information, see Password synchronization.
If you selected Pass-through Authentication this option can also be enabled to ensure support for legacy clients and as a backup option. For additional information, see Password synchronization.
Password writeback – By enabling password writeback, password changes that originate in Azure AD are written back to your on-premises directory. For more information, see Getting started with password management.
Group writeback – If you use the Office 365 Groups feature, then you can have these groups represented in your on-premises Active Directory. This option is only available if you have Exchange present in your on-premises Active Directory. For more information, see Group writeback.
Device writeback – Allows you to writeback device objects in Azure AD to your on-premises Active Directory for conditional access scenarios. For more information, see Enabling device writeback in Azure AD Connect.
Directory extension attribute sync – By enabling directory extensions attribute sync, attributes specified are synced to Azure AD. For more information, see Directory extensions.
m) On the Ready to configure window, once you click Install it will start the synchronization process.
n) Once the configuration is complete it will show the summary. If you have enabled the Active Directory Recycle Bin you won’t see an error like the one below. Enabling the Recycle Bin is a best practice.
o) Next you can go to the All Programs menu on the server and open the program named Synchronization Service Manager. It gives a complete overview of the AD sync and is a good tool for troubleshooting purposes.
p) Finally you can verify the synced objects from the Azure portal. Log in to your Azure portal and navigate to Azure Active Directory > All Users. It will display the entire user list from the selected OU.
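The checks behind steps m) to p), as an added example that is not part of the original post: run on the Azure AD Connect server, it confirms both connectors exist, the scheduler is enabled and not in staging mode, password hash synchronization is on, shows the password writeback configuration of the tenant connector, triggers a delta cycle, and then lists the users Azure AD reports as synchronized from on-premises. It uses the ADSync module that the installer places on the server and, for the tenant-side check, the Microsoft Graph PowerShell SDK with an account holding at least `User.Read.All`; the cmdlets are the real ones, while treating a disabled scheduler or staging mode as a warning rather than an error is my choice.

```powershell
# Added example: post-install verification of Azure AD Connect (password hash sync + writeback).
Import-Module ADSync

# 1. Both connectors (on-premises AD forest and the Azure AD tenant) must be present.
$connectors = Get-ADSyncConnector
$connectors | Select-Object Name | Format-Table -AutoSize
$aad = $connectors | Where-Object { $_.Name -like '*- AAD' }
if (-not $aad) { throw 'No Azure AD connector found; rerun the configuration wizard.' }

# 2. The scheduler must be enabled, and staging mode must be off or nothing is exported to the tenant.
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) { Write-Warning 'Sync cycle is disabled; synchronization will not run automatically.' }
if ($sched.StagingModeEnabled)   { Write-Warning 'Server is in staging mode; it imports but never exports.' }
"Next cycle: $($sched.NextSyncCycleStartTimeInUTC) UTC ($($sched.NextSyncCyclePolicyType))"

# 3. Confirm the sign-in method and optional features chosen in steps c) and l).
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordHashSync) { Write-Warning 'Password hash synchronization is NOT enabled.' }
# Password writeback is configured per tenant connector; inspect the returned settings.
Get-ADSyncAADPasswordResetConfiguration -Connector $aad.Name

# 4. Trigger a delta cycle now instead of waiting for the scheduler; skip if one is already running.
if ($sched.SyncCycleInProgress) {
    'A sync cycle is already in progress; not starting another.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    'Delta sync cycle started.'
}
# Lists connectors with a run in progress; empty output means nothing is running right now.
Get-ADSyncConnectorRunStatus

# 5. Tenant-side view of step p): users that Azure AD marks as synchronized from on-premises.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
Get-MgUser -All -Property DisplayName, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime |
    Where-Object { $_.OnPremisesSyncEnabled } |
    Select-Object DisplayName, UserPrincipalName, OnPremisesLastSyncDateTime |
    Format-Table -AutoSize
```

The `OnPremisesLastSyncDateTime` column is the quickest way to spot objects that were selected in the OU filter but have not reached the tenant: a user missing from the list, or with a stale timestamp after a completed cycle, is the one to look up in Synchronization Service Manager.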
If you have any questions or comments about this please let me know by commenting below!